Vera Bradley, Inc. - (VRA)
10-K Filing Date: March 29, 2024
Item 1C. Cybersecurity
Cyber Risk Management and Strategy
We have an enterprise risk assessment process which specifically addresses risks associated with cybersecurity. Additionally, we have a cybersecurity incident response plan that outlines the structure, roles, responsibilities and operating procedures to utilize during potentially significant events that could negatively impact the Company. Our cybersecurity incident response plan provides a documented framework for handling high severity security incidents and includes facilitated coordination across multiple functions of the Company. Our incident response plan also includes identifying and responding to material risks from cybersecurity threats associated with our use of third-party service providers.
We invest in threat intelligence and are active participants in industry and government forums to strive to improve our overall capabilities with respect to cybersecurity. We routinely perform reviews of threat intelligence and vulnerability management capabilities, while performing simulations and drills at both technical and management levels. Our formal cybersecurity program is modeled after industry best practice global standards and best practices. We incorporate external expertise in all aspects of our program utilizing best practice guidance from third-party cybersecurity advisors to provide objective assessments of our capabilities.
We maintain a cyber liability insurance program, although the coverage may not be sufficient in some circumstances. We also have policies and practices in place to address data privacy regulations. Our cybersecurity program is reviewed and assessed by external information security specialists or by our internal audit group at least annually. Further, we conduct annual cybersecurity awareness training for employees and targeted training for high-risk functions of the Company. We also conduct phishing exercises and correlated education with our employees.
Governance Related to Cybersecurity Risks
Our Vice President of Enterprise Technology Solutions is responsible for the strategic leadership and direction of the Company's information technology organization and possesses 25 years of tenure and experience with the Company in matters of privacy assurance, cyber, digital, and data security. As part of its risk oversight role, our Audit Committee of the Board of Directors oversees cyber risk, information security and technology risk, including management’s actions to identify, assess, mitigate and remediate material cybersecurity issues and risks. The Audit Committee receives regular reporting from our Vice President of Enterprise Technology Solutions on our technology and cyber risk profile, enterprise cybersecurity program and key enterprise cybersecurity activities.
We experienced no material cybersecurity incidents in fiscal 2024.